  • HTML injections in dedicated server properties


    DataPocalypse

    Summary:

    I'm trying to inject various things in the dedicated server properties to ensure security in my server tracker crawler/web pages. (https://7daystodie.online)
     

    Game Version: Alpha.20.7.1

    Platform:  Steam

    OS/Version: Linux

    CPU Model: Ryzen 5 2600

    Game mode: Dedicated server

     

    Did you wipe old saves? Yes

    Did you start a new game? Yes

    Did you validate your files? Yes

    Are you using any mods? No

    EAC on or off? ON

     

    Status: NEW

     

    Bug Description:

     

    While trying XSS injections, the dedi refused to boot with normal HTML tags inside the ServerDescription property.
     

    <property name="ServerDescription" value="<a href='/testxss.html' onload=alert('xss test')>xss test</a>" />
    
    2023-04-26T11:22:41 0.159 EXC '<', hexadecimal value 0x3C, is an invalid attribute character. Line 8, position 47.


    So this looks like normal behavior.

    And I tried converting it to HTML entities:

     

    <property name="ServerDescription" value="&#x3C;a href=&#x22;/testxss.html&#x22; onload=&#x22;alert(&#x27;xss test&#x27;)&#x22;&#x3E;xss test&#x3C;/a&#x3E;" />


    And this one worked, but the HTML entities are computed into valid HTML tags by the dedicated server:
    Screenshot of telnet query uploaded with the post.
    You can also see the result in the tracker, which has XSS protections, but it shows a valid HTML tag:

    https://7daystodie.online/servers/17147-europe-france-7daystodie-online-server-tracker-community

     

    Detailed steps to reproduce the bug:

     

    1) Just use the ServerDescription property above with HTML Entities

     

     

    Expected result:

    I haven't dug into the dedi Assembly.dll yet; I have no Visual Studio setup at this time, and can't see whether it's normal behavior or not.
    I know there is some markup to colorize text, and it is our responsibility as web devs to ensure injections do not happen, but the game should not compute things like HTML entities.
    This may open the door to other injections with C# or in-game things that I have not discovered/tried yet.

    Thank you in advance! 🍻
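
Added example, not part of the original post or the game's code: a conforming XML parser rejects a literal `<` inside an attribute value but resolves character references such as `&#x3C;` before the application sees the value, so any consumer of ServerDescription receives real markup characters and has to encode them on output. The Python sketch below replays the two property lines from the report and encodes the result for a tracker page. The function names are hypothetical, and Python's XML parser stands in for whatever parser the dedicated server uses.

```python
import html
import xml.etree.ElementTree as ET

# The two ServerDescription lines from the report, embedded as sample input.
RAW_MARKUP = (
    '<property name="ServerDescription" '
    "value=\"<a href='/testxss.html' onload=alert('xss test')>xss test</a>\" />"
)
ENTITY_ENCODED = (
    '<property name="ServerDescription" '
    'value="&#x3C;a href=&#x22;/testxss.html&#x22; '
    'onload=&#x22;alert(&#x27;xss test&#x27;)&#x22;&#x3E;xss test&#x3C;/a&#x3E;" />'
)


def read_description(property_xml):
    """Return the parsed 'value' attribute, or None if the XML is not well-formed."""
    try:
        return ET.fromstring(property_xml).get("value")
    except ET.ParseError:
        # A literal '<' in an attribute value violates XML well-formedness.
        return None


def render_for_tracker(description):
    """Encode an untrusted description for an HTML text node or quoted attribute."""
    return html.escape(description, quote=True)


def main():
    # Case 1: raw markup never reaches the application; the parser refuses the file.
    print("raw markup parsed as:", read_description(RAW_MARKUP))

    # Case 2: character references are resolved by the parser, so the
    # application receives the same markup the first attempt tried to supply.
    decoded = read_description(ENTITY_ENCODED)
    print("entity form parsed as:", decoded)

    # Mitigation on the consuming side: encode at output time, whatever the
    # server query returned.
    print("safe for HTML output:", render_for_tracker(decoded))


if __name__ == "__main__":
    main()
```

Encoding happens at the point of output rather than at ingestion, so the stored description stays byte-for-byte what the server reported and each sink (HTML body, attribute, JSON) applies its own encoding.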

     

